RE: Strange UDP Activity

From: Joe Kattner (joe.kattnerat_private)
Date: Tue Apr 16 2002 - 09:53:59 PDT


    These are root name servers. Do you have a name server running?
    
    UDP (and TCP in cases where the DNS response exceeds the size of UDP)
    responses from port 53 on a root name server wouldn't cause immediate
    suspicion. I'm guessing you have a recursive name server (or some other
    application attempting recursion) and these responses are part of normal DNS
    recursion.
    
    --Joe
    
    -----Original Message-----
    From: LAVELLE,MICHAEL (HP-PaloAlto,ex1) [mailto:mlavelleat_private]
    Sent: Tuesday, April 16, 2002 11:36 AM
    To: incidentsat_private
    Subject: Strange UDP Activity
    
    
    Greetings to the List,
    
    I recently started seeing strange UDP traffic to my home DSL, which is
    included below. It has been active for the last 4 days at all hours. None of
    these IPs are DNS servers that I use, and much of the activity is when all
    of my computers are off. Google led me to port 1067 as being an SNMP port,
    but I have SNMP disabled on all devices at home, and the ACL blocks it
    anyway.
    
    Is there a new vulnerability going around that I missed? So far I have not
    read anything on the list that looks like this...any ideas?
    
    Thanks for listening,
    
    Mike
    ___________________________
    
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets
    Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
    Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
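Added example, not part of the thread: a small Python triage of the Cisco ACL log lines quoted above, testing whether denied UDP traffic fits the reply's explanation (answers from the root name servers, all aimed at one high-numbered port, which is what a local recursive resolver's query port would receive) rather than a scan. The root-server set is simply the thread's own source addresses, and the SAMPLE lines are constructed from the quoted log with the mail-wrapped halves rejoined.

```python
import re

# Cisco IOS "%SEC-6-IPACCESSLOGP" ACL log line (the mail-wrapped "->" halves joined).
LOG_RE = re.compile(
    r"list (?P<acl>\d+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r" -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Source addresses from the thread's log, which the reply identifies as root servers.
ROOT_SERVERS = {
    "198.41.0.4", "128.9.0.107", "192.33.4.12", "128.8.10.90", "192.203.230.10",
    "192.5.5.241", "192.112.36.4", "128.63.2.53", "192.36.148.17", "198.41.0.10",
    "198.32.64.12", "193.0.14.129", "202.12.27.33",
}

def parse_line(line):
    """Return the ACL record as a dict, or None for lines that are not ACL denies."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("acl", "sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec

def triage(lines):
    """Summarise denied UDP traffic: replies from known root servers to a single
    high port look like answers to a local resolver's queries, not a scan."""
    recs = [r for r in map(parse_line, lines) if r and r["proto"] == "udp"]
    sources = {r["src"] for r in recs}
    dports = sorted({r["dport"] for r in recs})
    from_dns_port = bool(recs) and all(r["sport"] == 53 for r in recs)
    unknown = sorted(sources - ROOT_SERVERS)
    if from_dns_port and not unknown and len(dports) == 1:
        verdict = "root-server DNS responses to one query port: check for a local recursive resolver"
    elif from_dns_port:
        verdict = "DNS responses from non-root sources or to many ports: verify the resolver's upstreams"
    else:
        verdict = "not DNS-response traffic: investigate"
    return {"records": len(recs), "packets": sum(r["count"] for r in recs),
            "root_sources": len(sources & ROOT_SERVERS), "unknown_sources": unknown,
            "dest_ports": dports, "verdict": verdict}

# Constructed sample: four of the thread's log lines with the wrapped halves rejoined.
SAMPLE = """Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet""".splitlines()
```

Calling `triage(SAMPLE)` reports four records, all from port 53 and all from the root-server set, to the single destination port 1067; any source outside the set is listed in `unknown_sources` for follow-up.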



    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 10:45:49 PDT